Merge pull request #263 from lpiwowar/bugfix/runAsNonroot-and-automou…

…ntServiceAccountToken Disable insecure parameters by default
openstack-k8s-operators · Jan 13, 2025 · 0da95da · 0da95da
2 parents 4cba21d + 0a23722
commit 0da95da
Show file tree

Hide file tree

Showing 16 changed files with 118 additions and 85 deletions.
diff --git a/api/bases/test.openstack.org_ansibletests.yaml b/api/bases/test.openstack.org_ansibletests.yaml
@@ -145,12 +145,13 @@ spec:
               privileged:
                 default: false
                 description: |-
-                  Use with caution! This parameter specifies whether test-operator should spawn test
-                  pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
-                  default capabilities on top of capabilities that are usually needed by the test
-                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
-                  certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
-                  CR, or certain set of tobiko tests).
+                  Use with caution! This parameter specifies whether test-operator should spawn
+                  test pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false,
+                  runAsNonRoot: false, automountServiceAccountToken: true, and the default
+                  capabilities on top of capabilities that are usually needed by the test
+                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is
+                  needed for certain test-operator functionalities to work properly (e.g.:
+                  extraRPMs in Tempest CR, or certain set of tobiko tests).
                 type: boolean
               storageClass:
                 default: local-storage

diff --git a/api/bases/test.openstack.org_horizontests.yaml b/api/bases/test.openstack.org_horizontests.yaml
@@ -158,12 +158,13 @@ spec:
               privileged:
                 default: false
                 description: |-
-                  Use with caution! This parameter specifies whether test-operator should spawn test
-                  pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
-                  default capabilities on top of capabilities that are usually needed by the test
-                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
-                  certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
-                  CR, or certain set of tobiko tests).
+                  Use with caution! This parameter specifies whether test-operator should spawn
+                  test pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false,
+                  runAsNonRoot: false, automountServiceAccountToken: true, and the default
+                  capabilities on top of capabilities that are usually needed by the test
+                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is
+                  needed for certain test-operator functionalities to work properly (e.g.:
+                  extraRPMs in Tempest CR, or certain set of tobiko tests).
                 type: boolean
               projectName:
                 default: horizontest

diff --git a/api/bases/test.openstack.org_tempests.yaml b/api/bases/test.openstack.org_tempests.yaml
@@ -152,12 +152,13 @@ spec:
               privileged:
                 default: false
                 description: |-
-                  Use with caution! This parameter specifies whether test-operator should spawn test
-                  pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
-                  default capabilities on top of capabilities that are usually needed by the test
-                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
-                  certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
-                  CR, or certain set of tobiko tests).
+                  Use with caution! This parameter specifies whether test-operator should spawn
+                  test pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false,
+                  runAsNonRoot: false, automountServiceAccountToken: true, and the default
+                  capabilities on top of capabilities that are usually needed by the test
+                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is
+                  needed for certain test-operator functionalities to work properly (e.g.:
+                  extraRPMs in Tempest CR, or certain set of tobiko tests).
                 type: boolean
               storageClass:
                 default: local-storage

diff --git a/api/bases/test.openstack.org_tobikoes.yaml b/api/bases/test.openstack.org_tobikoes.yaml
@@ -142,12 +142,13 @@ spec:
               privileged:
                 default: false
                 description: |-
-                  Use with caution! This parameter specifies whether test-operator should spawn test
-                  pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
-                  default capabilities on top of capabilities that are usually needed by the test
-                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
-                  certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
-                  CR, or certain set of tobiko tests).
+                  Use with caution! This parameter specifies whether test-operator should spawn
+                  test pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false,
+                  runAsNonRoot: false, automountServiceAccountToken: true, and the default
+                  capabilities on top of capabilities that are usually needed by the test
+                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is
+                  needed for certain test-operator functionalities to work properly (e.g.:
+                  extraRPMs in Tempest CR, or certain set of tobiko tests).
                 type: boolean
               publicKey:
                 default: ""

diff --git a/api/v1beta1/common.go b/api/v1beta1/common.go
@@ -45,12 +45,13 @@ type CommonOptions struct {
 	// +kubebuilder:validation:optional
 	// +kubebuilder:default=false
 	// +optional
-	// Use with caution! This parameter specifies whether test-operator should spawn test
-	// pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
-	// default capabilities on top of capabilities that are usually needed by the test
-	// pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
-	// certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
-	// CR, or certain set of tobiko tests).
+	// Use with caution! This parameter specifies whether test-operator should spawn
+	// test pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false,
+	// runAsNonRoot: false, automountServiceAccountToken: true, and the default
+	// capabilities on top of capabilities that are usually needed by the test
+	// pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is
+	// needed for certain test-operator functionalities to work properly (e.g.:
+	// extraRPMs in Tempest CR, or certain set of tobiko tests).
 	Privileged bool `json:"privileged"`
 
 	// +operator-sdk:csv:customresourcedefinitions:type=spec

diff --git a/api/v1beta1/common_webhook.go b/api/v1beta1/common_webhook.go
@@ -12,9 +12,9 @@ const (
 const (
 	// WarnPrivilegedModeOn
 	WarnPrivilegedModeOn = "%s.Spec.Privileged is set to true. This means that test pods " +
-		"are spawned with allowPrivilegedEscalation: true, readOnlyRootFilesystem: false " +
-		"and default capabilities on top of those required by the test operator " +
-		"(NET_ADMIN, NET_RAW)."
+		"are spawned with allowPrivilegedEscalation: true, readOnlyRootFilesystem: false, " +
+		"runAsNonRoot: false, automountServiceAccountToken: true and default " +
+		"capabilities on top of those required by the test operator (NET_ADMIN, NET_RAW)."
 
 	// WarnPrivilegedModeOff
 	WarnPrivilegedModeOff = "%[1]s.Spec.Privileged is set to false. Note, that a certain " +

diff --git a/config/crd/bases/test.openstack.org_ansibletests.yaml b/config/crd/bases/test.openstack.org_ansibletests.yaml
@@ -145,12 +145,13 @@ spec:
               privileged:
                 default: false
                 description: |-
-                  Use with caution! This parameter specifies whether test-operator should spawn test
-                  pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
-                  default capabilities on top of capabilities that are usually needed by the test
-                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
-                  certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
-                  CR, or certain set of tobiko tests).
+                  Use with caution! This parameter specifies whether test-operator should spawn
+                  test pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false,
+                  runAsNonRoot: false, automountServiceAccountToken: true, and the default
+                  capabilities on top of capabilities that are usually needed by the test
+                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is
+                  needed for certain test-operator functionalities to work properly (e.g.:
+                  extraRPMs in Tempest CR, or certain set of tobiko tests).
                 type: boolean
               storageClass:
                 default: local-storage

diff --git a/config/crd/bases/test.openstack.org_horizontests.yaml b/config/crd/bases/test.openstack.org_horizontests.yaml
@@ -158,12 +158,13 @@ spec:
               privileged:
                 default: false
                 description: |-
-                  Use with caution! This parameter specifies whether test-operator should spawn test
-                  pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
-                  default capabilities on top of capabilities that are usually needed by the test
-                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
-                  certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
-                  CR, or certain set of tobiko tests).
+                  Use with caution! This parameter specifies whether test-operator should spawn
+                  test pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false,
+                  runAsNonRoot: false, automountServiceAccountToken: true, and the default
+                  capabilities on top of capabilities that are usually needed by the test
+                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is
+                  needed for certain test-operator functionalities to work properly (e.g.:
+                  extraRPMs in Tempest CR, or certain set of tobiko tests).
                 type: boolean
               projectName:
                 default: horizontest

diff --git a/config/crd/bases/test.openstack.org_tempests.yaml b/config/crd/bases/test.openstack.org_tempests.yaml
@@ -152,12 +152,13 @@ spec:
               privileged:
                 default: false
                 description: |-
-                  Use with caution! This parameter specifies whether test-operator should spawn test
-                  pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
-                  default capabilities on top of capabilities that are usually needed by the test
-                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
-                  certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
-                  CR, or certain set of tobiko tests).
+                  Use with caution! This parameter specifies whether test-operator should spawn
+                  test pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false,
+                  runAsNonRoot: false, automountServiceAccountToken: true, and the default
+                  capabilities on top of capabilities that are usually needed by the test
+                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is
+                  needed for certain test-operator functionalities to work properly (e.g.:
+                  extraRPMs in Tempest CR, or certain set of tobiko tests).
                 type: boolean
               storageClass:
                 default: local-storage

diff --git a/config/crd/bases/test.openstack.org_tobikoes.yaml b/config/crd/bases/test.openstack.org_tobikoes.yaml
@@ -142,12 +142,13 @@ spec:
               privileged:
                 default: false
                 description: |-
-                  Use with caution! This parameter specifies whether test-operator should spawn test
-                  pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
-                  default capabilities on top of capabilities that are usually needed by the test
-                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
-                  certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
-                  CR, or certain set of tobiko tests).
+                  Use with caution! This parameter specifies whether test-operator should spawn
+                  test pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false,
+                  runAsNonRoot: false, automountServiceAccountToken: true, and the default
+                  capabilities on top of capabilities that are usually needed by the test
+                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is
+                  needed for certain test-operator functionalities to work properly (e.g.:
+                  extraRPMs in Tempest CR, or certain set of tobiko tests).
                 type: boolean
               publicKey:
                 default: ""

diff --git a/config/manifests/bases/test-operator.clusterserviceversion.yaml b/config/manifests/bases/test-operator.clusterserviceversion.yaml
@@ -89,11 +89,12 @@ spec:
         displayName: Open Stack Config Secret
         path: openStackConfigSecret
       - description: 'Use with caution! This parameter specifies whether test-operator
-          should spawn test pods with allowedPrivilegedEscalation: true and the default
-          capabilities on top of capabilities that are usually needed by the test
-          pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed
-          for certain test-operator functionalities to work properly (e.g.: extraRPMs
-          in Tempest CR, or certain set of tobiko tests).'
+          should spawn test pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem:
+          false, runAsNonRoot: false, automountServiceAccountToken: true, and the
+          default capabilities on top of capabilities that are usually needed by the
+          test pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it
+          is needed for certain test-operator functionalities to work properly (e.g.:
+          extraRPMs in Tempest CR, or certain set of tobiko tests).'
         displayName: Privileged
         path: privileged
       - description: StorageClass used to create any test-operator related PVCs.
@@ -283,11 +284,12 @@ spec:
         displayName: Password
         path: password
       - description: 'Use with caution! This parameter specifies whether test-operator
-          should spawn test pods with allowedPrivilegedEscalation: true and the default
-          capabilities on top of capabilities that are usually needed by the test
-          pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed
-          for certain test-operator functionalities to work properly (e.g.: extraRPMs
-          in Tempest CR, or certain set of tobiko tests).'
+          should spawn test pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem:
+          false, runAsNonRoot: false, automountServiceAccountToken: true, and the
+          default capabilities on top of capabilities that are usually needed by the
+          test pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it
+          is needed for certain test-operator functionalities to work properly (e.g.:
+          extraRPMs in Tempest CR, or certain set of tobiko tests).'
         displayName: Privileged
         path: privileged
       - description: ProjectName is the name of the OpenStack project for Horizon
@@ -380,11 +382,12 @@ spec:
         displayName: Parallel
         path: parallel
       - description: 'Use with caution! This parameter specifies whether test-operator
-          should spawn test pods with allowedPrivilegedEscalation: true and the default
-          capabilities on top of capabilities that are usually needed by the test
-          pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed
-          for certain test-operator functionalities to work properly (e.g.: extraRPMs
-          in Tempest CR, or certain set of tobiko tests).'
+          should spawn test pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem:
+          false, runAsNonRoot: false, automountServiceAccountToken: true, and the
+          default capabilities on top of capabilities that are usually needed by the
+          test pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it
+          is needed for certain test-operator functionalities to work properly (e.g.:
+          extraRPMs in Tempest CR, or certain set of tobiko tests).'
         displayName: Privileged
         path: privileged
       - description: StorageClass used to create any test-operator related PVCs.
@@ -398,6 +401,11 @@ spec:
       - description: A content of exclude.txt file that is passed to tempest via --exclude-list
         displayName: Exclude List
         path: tempestRun.excludeList
+      - description: The expectedFailuresList parameter contains tests that should
+          not count as failures. When a test from this list fails, the test pod ends
+          with Completed state rather than with Error state.
+        displayName: Expected Failures List
+        path: tempestRun.expectedFailuresList
       - description: ExternalPlugin contains information about plugin that should
           be installed within the tempest test pod. If this option is specified then
           only tests that are part of the external plugin can be executed.
@@ -662,6 +670,11 @@ spec:
       - description: A content of exclude.txt file that is passed to tempest via --exclude-list
         displayName: Exclude List
         path: workflow[0].tempestRun.excludeList
+      - description: The expectedFailuresList parameter contains tests that should
+          not count as failures. When a test from this list fails, the test pod ends
+          with Completed state rather than with Error state.
+        displayName: Expected Failures List
+        path: workflow[0].tempestRun.expectedFailuresList
       - description: ExternalPlugin contains information about plugin that should
           be installed within the tempest test pod. If this option is specified then
           only tests that are part of the external plugin can be executed.
@@ -904,11 +917,12 @@ spec:
         displayName: Private Key
         path: privateKey
       - description: 'Use with caution! This parameter specifies whether test-operator
-          should spawn test pods with allowedPrivilegedEscalation: true and the default
-          capabilities on top of capabilities that are usually needed by the test
-          pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed
-          for certain test-operator functionalities to work properly (e.g.: extraRPMs
-          in Tempest CR, or certain set of tobiko tests).'
+          should spawn test pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem:
+          false, runAsNonRoot: false, automountServiceAccountToken: true, and the
+          default capabilities on top of capabilities that are usually needed by the
+          test pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it
+          is needed for certain test-operator functionalities to work properly (e.g.:
+          extraRPMs in Tempest CR, or certain set of tobiko tests).'
         displayName: Privileged
         path: privileged
       - description: Public Key

diff --git a/pkg/ansibletest/job.go b/pkg/ansibletest/job.go
@@ -47,8 +47,9 @@ func Job(
 					Labels: labels,
 				},
 				Spec: corev1.PodSpec{
-					RestartPolicy:      corev1.RestartPolicyNever,
-					ServiceAccountName: instance.RbacResourceName(),
+					AutomountServiceAccountToken: &instance.Spec.Privileged,
+					RestartPolicy:                corev1.RestartPolicyNever,
+					ServiceAccountName:           instance.RbacResourceName(),
 					SecurityContext: &corev1.PodSecurityContext{
 						RunAsUser:  &runAsUser,
 						RunAsGroup: &runAsGroup,